Wassim Haddad, San Jose, CA US

Patent application number | Description | Published

20100260338

METHOD AND APPARATUS FOR ESTABLISHING A CRYPTOGRAPHIC RELATIONSHIP IN A MOBILE COMMUNICATIONS NETWORK - A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node and uses that received part to generate an identifier for the first node. The cryptographic attribute may be a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.
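The abstract does not fix hash functions, address layout or signature scheme. The following is an added example, not code from the application, showing one way the relationship could look in the CGA style of RFC 3972: node A's interface identifier commits to node B's public key, and B proves to a third node C that A's address is bound to B's key by signing the claim. Assumed here: SHA-256 over (modifier || 64-bit prefix || B's public key), a 64-bit interface identifier with the u/g bits cleared, and a toy Schnorr signature over the multiplicative group mod 2**127 - 1 so the block needs only the standard library (that group is far too small for real use and only stands in for B's signing key).

```python
"""Added example (not from the patent): CGA-style binding of A's address to
B's public key, plus B's proof to a third node C. Group parameters, hash
choice and address layout are assumptions, not taken from the abstract."""
import hashlib
import ipaddress
import secrets

P = 2**127 - 1   # Mersenne prime, demo-only modulus
G = 3            # demo generator
Q = P - 1        # exponents are reduced mod the group order


def keygen():
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(G, x, P)


def _challenge(R: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(R.to_bytes(16, "big") + msg).digest(), "big") % Q


def sign(x: int, msg: bytes):
    r = secrets.randbelow(Q - 2) + 1
    R = pow(G, r, P)
    return R, (r + x * _challenge(R, msg)) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == (R * pow(y, _challenge(R, msg), P)) % P


def cga_iid(prefix8: bytes, pub_b: int, modifier: bytes) -> bytes:
    """Interface identifier of A, derived from B's public key (the received
    'cryptographic attribute') rather than from A's own key."""
    digest = hashlib.sha256(modifier + prefix8 + pub_b.to_bytes(16, "big")).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFC   # clear the u and g bits, as RFC 3972 does
    return bytes(iid)


def make_address(prefix8: bytes, pub_b: int, modifier: bytes) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(prefix8 + cga_iid(prefix8, pub_b, modifier))


def proxy_claim(addr_a, pub_b, modifier, priv_b, payload: bytes) -> dict:
    """B tells C 'I act on behalf of addr_a': it ships what C needs to recompute
    A's identifier plus a signature under B's key over the whole claim."""
    msg = addr_a.packed + modifier + payload
    return {"addr_a": addr_a, "pub_b": pub_b, "modifier": modifier,
            "payload": payload, "sig": sign(priv_b, msg)}


def third_node_accepts(claim: dict) -> bool:
    """C's check: (1) addr_a really commits to pub_b, (2) the claim is signed by pub_b."""
    addr = claim["addr_a"]
    if make_address(addr.packed[:8], claim["pub_b"], claim["modifier"]) != addr:
        return False
    msg = addr.packed + claim["modifier"] + claim["payload"]
    return verify(claim["pub_b"], msg, claim["sig"])


def demo():
    prefix8 = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]  # constructed
    modifier = bytes(range(16))                  # constructed; RFC 3972 uses a random modifier
    priv_b, pub_b = keygen()
    addr_a = make_address(prefix8, pub_b, modifier)
    good = proxy_claim(addr_a, pub_b, modifier, priv_b, b"binding-update")
    priv_m, pub_m = keygen()                     # an attacker's key: addr_a does not commit to it
    impostor = proxy_claim(addr_a, pub_m, modifier, priv_m, b"binding-update")
    tampered = dict(good, payload=b"binding-update; reroute")
    return third_node_accepts(good), third_node_accepts(impostor), third_node_accepts(tampered)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The check at C has two halves that must both hold: recomputing the address from the presented key shows the address was generated for that key, and the signature shows the presenter holds the matching private key. Dropping either half lets an on-path party replay someone else's parameters.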

10-14-2010

20100284368

Wireless LAN Mobility - A method of performing hand-off of a Mobile Node from a previous Access Point to a new Access Point within a WLAN domain, where the previous and new Access Points are connected respectively to previous and new Access Routers. The method comprises, following a MAC authentication exchange between the Mobile Node and the new Access Point, sending a MAC Reassociation Request from the Mobile Node to the New Access Point, forwarding said Reassociation Request to said new Access Router, and sending the Reassociation Request from said new Access Router to said previous Access Router within an IP hand-off request, and authenticating the Reassociation Request at the previous Access Router and initiating the tunnelling of IP packets received at the previous Access Router and destined for said Mobile Node, towards said new Access Router.

RE-ESTABLISHMENT OF A SECURITY ASSOCIATION - According to a first aspect of the present invention there is provided a method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on-link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier. Said second access router confirms that said second host is attached to the second access router using the claimed Interface Identifier, sending to the second host said care-of-address and said session identifier. The second access router then reports the presence status to said first access router. Said second host uses said session identifier to identify said security association, and updates the binding cache entry for said first host with the new care-of-address.

02-10-2011

20110038377

Method and apparatus for providing host node awareness for multiple NAT64 environments - A method implemented in a host node for communicating with a corresponding node through one of a plurality of available networks that includes: receiving a request to initiate a connection with the corresponding node from an application executing on a host node, sending a request to a DNS64 node for an address of the corresponding node, receiving a virtual IPv6 address for the corresponding node with a generic prefix, selecting a connection to one of the plurality of networks through which the data is to be forwarded to the corresponding node, and sending the data to the corresponding node using a virtual IPv6 address for the corresponding node with the prefix of the NAT64 node in the network of the selected connection, whereby the host node is able to maintain connectivity with the corresponding node despite having connections to the plurality of networks that each have NAT64 nodes.

Key Distribution to a Set of Routers - Before actually communicating information/data between two endpoints (C, S) connected to a network, a secure and confidential distribution of a special key (K_h) is performed to nodes (R_j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto.
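The abstract fixes the two-pass shape but not the token construction. Below is an added example, not the application's own code, of one concrete reading: the disclosure is an HMAC under a key C and S already share (assumed pre-established), the hint is SHA-256 of the disclosure, and K_h is derived from the disclosure. Routers store the hint on the C-to-S pass and hand out K_h only to themselves after a disclosure on the S-to-C pass opens the stored hint. A router that never saw the hint, or a disclosure that does not match it, gets nothing. The disclosure travels in the clear in this sketch, so a real deployment would still need hop-by-hop confidentiality on the return pass.

```python
"""Added example (not from the patent): hint/disclosure path handshake.
Token construction and the shared key between C and S are assumptions."""
import hashlib
import hmac


def derive_kh(disclosure: bytes, flow: bytes) -> bytes:
    return hmac.new(disclosure, b"K_h" + flow, hashlib.sha256).digest()


class Router:
    def __init__(self, name: str):
        self.name = name
        self.hints = {}   # flow -> hint seen on the forward pass
        self.keys = {}    # flow -> K_h, set only after a matching disclosure

    def on_hint(self, flow: bytes, hint: bytes) -> None:
        self.hints[flow] = hint

    def on_disclosure(self, flow: bytes, disclosure: bytes) -> bool:
        hint = self.hints.get(flow)
        if hint is None:
            return False                                   # never saw the hint: not on the path
        if not hmac.compare_digest(hint, hashlib.sha256(disclosure).digest()):
            return False                                   # junk does not open the hint; keep it
        del self.hints[flow]                               # consumed: a second disclosure is useless
        self.keys[flow] = derive_kh(disclosure, flow)
        return True


class Endpoint:
    def __init__(self, k_cs: bytes):
        self.k_cs = k_cs   # end-to-end key shared by C and S (assumed pre-established)

    def disclosure(self, flow: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.k_cs, flow + nonce, hashlib.sha256).digest()


def forward_pass(client: Endpoint, path: list, flow: bytes, nonce: bytes) -> bytes:
    """C -> R_1 ... R_n -> S carrying only the hint; returns K_h as C knows it."""
    d_c = client.disclosure(flow, nonce)
    hint = hashlib.sha256(d_c).digest()
    for r in path:
        r.on_hint(flow, hint)
    return derive_kh(d_c, flow)


def reverse_pass(server: Endpoint, path: list, flow: bytes, nonce: bytes) -> list:
    """S -> R_n ... R_1 -> C carrying the disclosure S recomputes itself."""
    d_s = server.disclosure(flow, nonce)
    return [r.on_disclosure(flow, d_s) for r in reversed(path)]


def demo():
    k_cs = b"\x11" * 32                          # constructed shared key
    c, s = Endpoint(k_cs), Endpoint(k_cs)
    path = [Router("R1"), Router("R2"), Router("R3")]
    off_path = Router("Rx")
    flow, nonce = b"flow-42", b"\x00" * 8        # constructed
    k_h = forward_pass(c, path, flow, nonce)
    forged = path[1].on_disclosure(flow, b"\x00" * 32)            # injected junk at R2: rejected
    accepted = reverse_pass(s, path, flow, nonce)                 # genuine disclosure: all accept
    replay = off_path.on_disclosure(flow, s.disclosure(flow, nonce))  # sniffed and replayed off path
    keys_match = all(r.keys.get(flow) == k_h for r in path)
    return forged, accepted, replay, keys_match
```

Note the router keeps its stored hint when a disclosure fails to match; if it discarded it, anyone able to inject one packet could erase the hint and make the genuine disclosure fail later.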

07-21-2011

20110211553

Enabling IPV6 Mobility with NAT64 - A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to generate virtual IPv6 addresses, and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.

09-01-2011

20110214175

METHOD FOR MITIGATING ON-PATH ATTACKS IN MOBILE IP NETWORK - In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the first BU message is authenticated with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.
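The chaining above is worth seeing with concrete bytes. The following is an added example, not code from the application, using the RFC 3775 return-routability derivations as the assumed concrete shape: keygen tokens are First(64, HMAC_SHA1(Kcn, addr | nonce | 0 or 1)), Kbm = SHA1(home token | care-of token), and the BU MAC is First(96, HMAC_SHA1(key, care-of addr | CN addr | body)). PoK = SHA-256(Kbm) and BU/BA key = SHA-256(Kbm2 | PoK1) are my choices, as is carrying both runs' nonce indices and care-of addresses in the BU so a stateless CN can recompute everything. The point shown: an attacker who lands on the path only after the first RR run sees the second run's tokens, can compute Kbm2, but cannot produce PoK1, so its BU fails.

```python
"""Added example (not from the patent): two chained RR runs, BU/BA key bound
to the first run through PoK1. Hash and token details are assumptions."""
import hashlib
import hmac
import ipaddress
import os


def kbm(home_token: bytes, coa_token: bytes) -> bytes:
    return hashlib.sha1(home_token + coa_token).digest()


def pok(kbm_: bytes) -> bytes:
    return hashlib.sha256(kbm_).digest()


def buba_key(kbm2: bytes, pok1: bytes) -> bytes:
    return hashlib.sha256(kbm2 + pok1).digest()


def mac(key: bytes, coa: bytes, cn: bytes, body: bytes) -> bytes:
    return hmac.new(key, coa + cn + body, hashlib.sha1).digest()[:12]   # First(96, ...)


class CorrespondentNode:
    def __init__(self, addr: bytes):
        self.addr = addr
        self.kcn = os.urandom(20)                       # CN's private node key
        self.nonces = [os.urandom(8) for _ in range(8)]

    def _token(self, addr: bytes, idx: int, tag: bytes) -> bytes:
        return hmac.new(self.kcn, addr + self.nonces[idx] + tag, hashlib.sha1).digest()[:8]

    def home_test(self, hoa: bytes, idx: int) -> bytes:     # HoT reply (via the HA)
        return self._token(hoa, idx, b"\x00")

    def careof_test(self, coa: bytes, idx: int) -> bytes:   # CoT reply (direct)
        return self._token(coa, idx, b"\x01")

    def handle_bu(self, bu: dict):
        """Recompute both Kbm values from the indices in the BU, check the MAC,
        and answer with a BA under the same BU/BA key; None if the BU is bad."""
        kbm1 = kbm(self.home_test(bu["hoa"], bu["hni1"]), self.careof_test(bu["coa1"], bu["cni1"]))
        kbm2 = kbm(self.home_test(bu["hoa"], bu["hni2"]), self.careof_test(bu["coa2"], bu["cni2"]))
        key = buba_key(kbm2, pok(kbm1))
        if not hmac.compare_digest(mac(key, bu["coa2"], self.addr, bu["body"]), bu["mac"]):
            return None
        ba_body = b"BA:" + bu["body"]
        return {"body": ba_body, "mac": mac(key, bu["coa2"], self.addr, ba_body)}


class MobileNode:
    def __init__(self, hoa: bytes):
        self.hoa = hoa
        self.runs = []   # (coa, home nonce idx, care-of nonce idx, Kbm) per RR run

    def return_routability(self, cn: CorrespondentNode, coa: bytes, hni: int, cni: int) -> None:
        ht = cn.home_test(self.hoa, hni)
        ct = cn.careof_test(coa, cni)
        self.runs.append((coa, hni, cni, kbm(ht, ct)))

    def _key(self):
        (_, _, _, kbm1), (coa2, _, _, kbm2) = self.runs[-2:]
        return coa2, buba_key(kbm2, pok(kbm1))

    def binding_update(self, cn_addr: bytes, body: bytes) -> dict:
        (coa1, hni1, cni1, _), (coa2, hni2, cni2, _) = self.runs[-2:]
        _, key = self._key()
        return {"hoa": self.hoa, "coa1": coa1, "hni1": hni1, "cni1": cni1,
                "coa2": coa2, "hni2": hni2, "cni2": cni2, "body": body,
                "mac": mac(key, coa2, cn_addr, body)}

    def check_ba(self, cn_addr: bytes, ba: dict) -> bool:
        coa2, key = self._key()
        return hmac.compare_digest(mac(key, coa2, cn_addr, ba["body"]), ba["mac"])


def demo():
    hoa = ipaddress.IPv6Address("2001:db8:1::1").packed       # constructed addresses
    cn_addr = ipaddress.IPv6Address("2001:db8:2::1").packed
    coa1 = ipaddress.IPv6Address("2001:db8:3::1").packed
    coa2 = ipaddress.IPv6Address("2001:db8:4::1").packed
    cn, mn = CorrespondentNode(cn_addr), MobileNode(hoa)
    mn.return_routability(cn, coa1, 0, 1)      # first RR run, attacker not yet on path
    mn.return_routability(cn, coa2, 2, 3)      # second RR run, attacker observes this one
    bu = mn.binding_update(cn_addr, b"bind hoa->coa2")
    ba = cn.handle_bu(bu)
    genuine = ba is not None and mn.check_ba(cn_addr, ba)

    # On-path attacker: knows run 2's tokens, hence Kbm2, but must guess PoK1.
    kbm2 = kbm(cn.home_test(hoa, 2), cn.careof_test(coa2, 3))
    forged_key = buba_key(kbm2, pok(b"guess"))
    body = b"bind hoa->attacker"
    forged = dict(bu, body=body, mac=mac(forged_key, coa2, cn_addr, body))
    forged_accepted = cn.handle_bu(forged) is not None
    return genuine, forged_accepted
```

Because PoK1 is a hash of Kbm1 rather than Kbm1 itself, the MN never has to put the first key on the wire, and the CN needs no extra state beyond the nonces it already keeps for standard return routability.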

09-01-2011

20110261753

ENABLING IPv6 MOBILITY WITH SENSING FEATURES FOR AD-HOC NETWORKS DERIVED FROM LONG TERM EVOLUTION NETWORKS - A wireless communication device includes a plurality of different wireless interfaces to facilitate communications with a remote device over a corresponding plurality of networks. The device can switch between the different interfaces to migrate an on-going communications session from one that requires the infrastructure of a fixed wireless communication network to one that does not require the infrastructure of a fixed wireless communication network. Switching between the various interfaces allows the migration to occur while protecting the device against malicious third-party impersonation attacks.

10-27-2011

20110307629

Enhancing DS-Lite with Private IPV4 Reachability - A method implemented in a network element to make a first device assigned an IPv4 private address accessible to a second device using Internet Protocol Version 6 (IPv6), the method comprising receiving an IPv6 formatted data packet, having a virtual IPv6 address as a destination address and having been sent from the second device; determining whether the virtual IPv6 address includes a representation prefix (RP); sending an address map query (AMQ) to a customer premise equipment (CPE), where the CPE stores a mapping between the virtual IPv6 address and a private IPv4 address of the first device; receiving an address map response (AMR) from the CPE with the private IPv4 address corresponding to the virtual IPv6 address; translating the IPv6 formatted data packet into an IPv4 formatted data packet; and sending the translated data packet to the CPE through an IPv4 over IPv6 tunnel.

12-15-2011

20120020284

System and Method for Mobility with a Split Home Agent Architecture Using MPTCP - A method implemented in a network element functioning as a home agent (HA) for a mobile node (MN) communicating with a corresponding node (CN) using Mobile Internet Protocol version 6 (MIPv6), the method including selecting by the HA a virtual home agent (VHA) to provide home agent services to the MN with a better quality of service than the HA based on pre-defined policies, sending a flow switch request (FSR) message to the selected VHA, the FSR message including transmission control protocol (TCP) parameters and the FSR message including a care-of address for the MN and an address of the CN, the FSR message to initiate a flow redirection at the VHA using multi-path TCP exchange, and receiving a flow switch acknowledgement (FSA) message from the VHA indicating that the VHA is receiving data packets from the CN and tunneling the data packets to the MN at the care-of address.

01-26-2012

20120023211

System and Method for Providing Mobility with a Split Home Agent Architecture - A method implemented by a network element functioning as a home agent (HA) for a mobile node (MN) communicating with a corresponding node (CN) using Mobile Internet Protocol version 6 (MIPv6), the method including selecting by the HA a virtual home agent (VHA) in the network to provide home agent services to the MN with a better quality of service than the HA, sending a flow switch request (FSR) message to the selected VHA, the FSR message including a home keygen token, an address of the CN and a care-of address of the MN, the FSR message to cause the selected VHA to direct the CN to send data traffic for the MN to the selected VHA instead of the HA, and receiving a flow switch acknowledgement (FSA) message from the VHA indicating that the selected VHA has successfully redirected the data traffic from the CN to the MN.

01-26-2012

20120099601

CONTROLLING IP FLOWS TO BYPASS A PACKET DATA NETWORK GATEWAY USING MULTI-PATH TRANSMISSION CONTROL PROTOCOL CONNECTIONS - A network element can include a proxy element that is configured to receive a request from a source node to establish a Transmission Control Protocol (TCP) connection from a first network address of the source node through a Packet Data Network Gateway (PDN GW) to a destination node for an IP flow. The proxy element applies an IP flow offloading policy function to determine that the requested TCP connection for the IP flow should bypass the PDN GW. The proxy element responds to the determination by communicating to the destination node a request for TCP connection with a second network address substituted for the first network address of the source node to establish the TCP connection for the IP flow from the source node to the destination node through a broadband network without passing through the PDN GW.

04-26-2012

20120155442

Method and System for Efficient Homeless MPLS Micro-Mobility - A method performed by a network element for providing micro-mobility in a network to a mobile node including the steps of receiving a registration request message at the mobility anchor point from an access router that is currently coupled to the mobile node, wherein the registration request message includes an endpoint identifier of the mobile node and a local care-of address of the mobile node, establishing a label switch path (LSP) between the mobility anchor point and the access router, storing the endpoint identifier in a binding entry along with the local care-of address, a regional care-of address, the label switch path and an egress interface, advertising the endpoint identifier with associated regional or local care-of address of the mobile node, and forwarding data packets, received at the mobility anchor point from a corresponding node that have the regional or local care-of address, to the mobile node using the LSP.

06-21-2012

20120182936

METHOD AND APPARATUS FOR MANAGING THE MOBILITY OF MOBILE NETWORKS - In response to a Mobile Access Router (MAR) initially attaching to a Multi-Protocol Label Switching (MPLS) domain through a first Access Router (AR) in the domain, a Mobility Anchor Point (MAP) in the MPLS domain establishes a plurality of Label Switched Paths (LSPs) for the MAR. For example, the MAP establishes an active LSP to the MAR through the AR to which the MAR has initially attached, and further establishes an inactive LSP for the MAR to each of one or more other ARs in the MPLS domain. An inactive LSP established at a given AR for a given MAR is activated when/if that MAR attaches to the AR. Correspondingly, the present invention includes method and apparatus teachings related to the MAP, ARs and the MAR, as regards establishing inactive LSPs, activating inactive LSPs, and extending an activated LSP to the MAR.

07-19-2012

20120188979

DATA FLOW TRANSFER BETWEEN WIRELESS CONNECTIONS - A method and apparatus taught herein provide for transfer of a data flow between two mobile nodes from a cellular connection supported by a cellular communication network to a non-cellular, ad-hoc connection between the mobile nodes. In one embodiment, a network node configured for operation in the cellular communication network detects that the two mobile nodes have moved within an ad-hoc communication range and transfers the data flow from the cellular connection to the ad-hoc connection responsive to the detection. The network node may include a control circuit to perform the detection, and a communication interface to send control signaling to effectuate the transfer. As a non-limiting example, the network node is a base station in the cellular communication network.

07-26-2012

20120210136

ENABLING SECURE ACCESS TO SENSOR NETWORK INFRASTRUCTURE USING MULTIPLE INTERFACES AND APPLICATION-BASED GROUP KEY SELECTION - A method implemented in a network element for controlling access to a set of resources on a per-application basis, the set of resources including subsets of the resources where each subset is accessible to a set of one or more applications through the use of a separate group key, the method comprising the steps of receiving an authentication request from a node communicatively connected to the network element through a first network interface of the network element, the authentication request including a certificate for the node, validating the certificate for the node, determining that the certificate has been authorized for the set of one or more applications through a query of a certificate database, retrieving each group key that corresponds to the set of one or more applications through a query of a group key database, and returning each group key retrieved from the group key database to the node.

08-16-2012

20120275392

METHODS FOR ASSIGNING RADIO RESOURCES FOR MOBILE DEVICES CONNECTED TO A MOBILE COMMUNICATION MODULE AND RELATED SYSTEMS AND DEVICES - Methods of assigning radio resources in a wireless communications network with user equipment are provided. The methods include connecting a user equipment unit to a vehicle having a mobile communication module associated therewith. The user equipment unit is authenticated at the vehicle and associated with the vehicle. Connection credentials are received at the mobile communication module from the user equipment unit if the user equipment unit is authenticated and associated. At least one wireless interface is activated at the mobile communication module responsive to the received connection credentials. A local wireless connection is established between the user equipment unit and the mobile communication module associated with the vehicle using the at least one wireless interface. Related mobile communication modules and intermediary devices are also provided.

11-01-2012

20120287932

Label Switched Routing To Connect Low Power Network Domains - A network element is described. In one embodiment, the method includes receiving a packet from the host in the first domain at the network element in the first domain, the packet including a destination address to the host in the second domain, the destination address being formed by replacing an Interface Identifier of an IP address by a second domain label and a shortened Media Access Control (MAC) address, the second domain label identifying the second domain. A routing label and the shortened MAC address are attached to the received packet, and the packet is sent on a label switched path indicated by the label to the second domain.

11-15-2012

20120322413

Trust Discovery in a Communications Network - A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

12-20-2012

20130091254

Providing Virtualized Visibility Through Routers - A method implemented by a network element to track IPv6 addresses of devices in a home network, wherein the network element provides DHCPv6 service to the home network and a home network router on the home network assigns IPv6 addresses to the devices using a prefix provided by the DHCPv6 service, the method including receiving a DHCPv6 request for a prefix delegation from a home network router, sending a DHCPv6 message including an assigned prefix to the home network router, the DHCPv6 message including a request for notification of configured IPv6 addresses, receiving a first ICMP message from the home network router, including a MAC address and corresponding IPv6 address for a configured device, and sending the home network router a second ICMP message to acknowledge recording the IPv6 address for the configured device, enabling the network element to provide services and forward traffic directly to the configured device.

04-11-2013

20130091279

Architecture for Virtualized Home IP Service Delivery - A method implemented by a network element of an Internet service provider to provide network access through a visited network associated with a visited network owner to a device of a visiting user connecting to the visited network. The visited network owner is a customer of the Internet service provider. The network element configures the visited network to provide access to resources of a remote home network to the device of the visiting user. The remote home network is in communication with the visited network over a wide area network. Connecting to a virtual gateway controller of the remote home network to obtain configuration information to establish a connection between the device and the remote home network. Establishing a connection between the device of the visiting user and a second access point. Providing access to the resource of the remote home network through the second access point.

ENABLING SEAMLESS OFFLOADING BETWEEN WIRELESS LOCAL-AREA NETWORKS IN FIXED MOBILE CONVERGENCE SYSTEMS - Methods and apparatus for facilitating access to public wireless access points in a fixed-mobile convergence system. A mobile terminal is pre-provisioned with one or more security parameters corresponding to one or more WLAN access points that the mobile terminal might need to access should a current WLAN access point fail or otherwise become unreachable. The WLAN access points are similarly pre-provisioned with a security parameter corresponding to the mobile terminal. With these pre-provisioned security parameters, the mobile terminal and any one of the potential target WLAN access points conduct an abbreviated authentication process in the event that a switch-over becomes necessary.

08-01-2013

20130223407

SYSTEM AND METHOD FOR MOBILITY WITH A SPLIT HOME AGENT ARCHITECTURE USING MPTCP - A method is implemented in a network element functioning as a control node for a mobile node (MN) communicating with a corresponding node (CN). The method includes selecting a virtual agent in the network to provide mobility services to the MN. The virtual agent represents a set of mobile resources proximate to the MN. The virtual agent is selected such that the MN receives a better quality of service when communicating with the CN through the virtual agent. A provisioning message is sent to the selected virtual agent including parameters for a session between the MN and CN. The provisioning message initiates a flow redirection at the virtual agent. A provisioning acknowledgement message is received from the virtual agent indicating that the virtual agent is receiving data packets from the CN and forwarding the data packets to the MN at the care-of address.

08-29-2013

20130294348

ENABLING IPV6 MOBILITY WITH NAT64 - A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to generate virtual IPv6 addresses and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.

11-07-2013

20130301651

METHOD AND APPARATUS FOR PROVIDING HOST NODE AWARENESS FOR MULTIPLE NAT64 ENVIRONMENTS - A method is implemented in a host node for communicating with a corresponding node. The host node has connections to a plurality of networks, where each of the plurality of networks includes a network address translation 64 (NAT64) node, each NAT64 node utilizes a distinct prefix to generate virtual Internet Protocol version 6 (IPv6) addresses, each of the plurality of networks is an IPv6 network, but the corresponding node is an Internet protocol version 4 (IPv4) node. The host node implementing this method is able to maintain connectivity with the corresponding node despite having connections to the plurality of networks that each have NAT64 nodes that utilize distinct prefixes for virtual IPv6 addresses.

11-14-2013

20130346788

METHOD AND SYSTEM TO ENABLE RE-ROUTING FOR HOME NETWORKS UPON CONNECTIVITY FAILURE - A method implemented by a Broadband Network Gateway (BNG) of an Internet service provider to provide accessibility to a wide area network for a Residential Gateway (RG) upon a failure of a wireline connectivity between the BNG and the RG, the method including receiving a failure detect message indicating a connectivity failure at the BNG from the RG, deciding whether to re-route traffic by the BNG, sending a failure acknowledge message by the BNG to the RG notifying the RG that re-routing has been initiated, sending a traffic re-route request message by the BNG to a Packet Data Network Gateway (PDN GW) of a Long-Term Evolution (LTE) network requesting the PDN GW to re-route traffic, receiving a traffic re-route acknowledgement by the BNG from the PDN GW, and re-routing traffic between the RG and the BNG through the PDN GW by the BNG.

12-26-2013

20140189160

METHODS AND SYSTEMS FOR SEAMLESS NETWORK COMMUNICATIONS BETWEEN DEVICES RUNNING INTERNET PROTOCOL VERSION 6 AND INTERNET PROTOCOL VERSION 4 - Systems are provided including at least one identifier locator network protocol (ILNP) enabled mobile node running Internet protocol version 6 (IPv6). The mobile node is attached to an IPv6 network in an IPv6 domain. The system includes a virtual root server configured to receive a binding identifiers create (BIC) message from a domain name system 64 (DNS64) server associated with the IPv6 network. The BIC message includes an ILNP address of the mobile node running IPv6, a fake ILNP address of a destination device running IPv4 assigned by the DNS64 server and an ILNP address of the DNS64 server. The fake ILNP address includes a full real address of the destination device. The virtual root server is further configured to create a binding between the ILNP address of the mobile node and the fake ILNP address of the destination device; store the binding; and send a binding identifier acknowledgement (BIA) message to the DNS64 server.

07-03-2014

20140258376

Mist Networks - A method is implemented by a nano-box for providing processing resources to support application execution to a set of devices connected to a network of the nano-box. The method includes receiving application data for an application for a mobile or fixed device. The application is executed using the application data of the mobile or fixed device to generate an output. A handoff notification is received indicating that the root controller has reassigned the application to another nano-box in the set of nano-boxes based on best resource availability and minimum latency. In response, the nano-box updates the application data with a current state of the application and transmits the updated application data over the network to be provided to the other nano-box.

09-11-2014

20140286348

ARCHITECTURE FOR VIRTUALIZED HOME IP SERVICE DELIVERY - A method implemented by a network element of an Internet service provider to provide network access through a visited network associated with a visited network owner to a device of a visiting user connecting to the visited network. The visited network owner is a customer of the Internet service provider. The network element configures the visited network to provide access to resources of a remote home network to the device of the visiting user. The remote home network is in communication with the visited network over a wide area network. Connecting to a virtual gateway controller of the remote home network to obtain configuration information to establish a connection between the device and the remote home network. Establishing a connection between the device of the visiting user and a second access point. Providing access to the resource of the remote home network through the second access point.

09-25-2014

20140328161

ENHANCING A MOBILE BACKUP CHANNEL TO ADDRESS A NODE FAILURE IN A WIRELINE NETWORK - A method performed by a slave network edge node (e.g., a Broadband Network Gateway BNG2) for enhancing a Long Term Evolution (LTE) backup channel in the event of a failure of a master network edge node (e.g., BNG1) in a wireline network. When BNG2 detects the failure of BNG1, BNG2 sends a failure update message to a Packet Data Network Gateway (PDN GW) of an LTE network. The PDN GW provides a backup channel for the CPE to reach the wide area network over a mobile tunnel. Before the failure the mobile tunnel has an end point at BNG1, and the failure update message notifies the PDN GW that the end point of the mobile tunnel has changed from BNG1 to BNG2. After BNG2 receives a failure acknowledgement message from the PDN GW, BNG2 routes the traffic from the PDN GW over the mobile tunnel to the wide area network.

11-06-2014

20150046981

TRUST DISCOVERY IN A COMMUNICATIONS NETWORK - A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.
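Applications 20120322413 and 20150046981 above describe the same trust-discovery mechanism, so one example serves both. It is an added example, not code from either application, and it commits to one concrete reading that the abstracts leave open: each node's "authentication data" is a Lamport one-time signing key; the "compact representation of verification data" for a node is a hash of its public key; the "certified compact representation of verification data of all nodes" is a Merkle root over those hashes; the "trust information" a node sends is its Merkle authentication path; and the "part of the authentication data" it reveals is the Lamport signature, which exposes half of the secret key. Everything is SHA-256, so it runs with the standard library alone. A Lamport key signs one message only; signing twice leaks further secrets.

```python
"""Added example (not from the patent): Merkle-rooted trust discovery with
hash-based one-time signatures. All scheme choices are assumptions."""
import hashlib
import os

N = 256   # bits of the message digest that get signed


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_sign(sk, pk, msg: bytes):
    """Reveal one secret per digest bit, plus the public half for the other bit,
    so the verifier can rebuild the whole public key without being told it."""
    bits = _bits(msg)
    return [sk[i][b] for i, b in enumerate(bits)], [pk[i][1 - b] for i, b in enumerate(bits)]


def pk_from_signature(msg: bytes, sig):
    revealed, other = sig
    pk = []
    for i, b in enumerate(_bits(msg)):
        pair = [None, None]
        pair[b], pair[1 - b] = H(revealed[i]), other[i]
        pk.append(tuple(pair))
    return pk


def leaf_of(node_id: bytes, pk) -> bytes:
    return H(b"\x00", node_id, *[h for pair in pk for h in pair])


def merkle_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]                      # duplicate the last node on odd levels
        levels.append([H(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_path(levels, index: int):
    path = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        path.append((lvl[index ^ 1], index & 1))       # (sibling hash, am I the right child?)
        index //= 2
    return path


def merkle_verify(root: bytes, leaf: bytes, path) -> bool:
    cur = leaf
    for sibling, is_right in path:
        cur = H(b"\x01", sibling, cur) if is_right else H(b"\x01", cur, sibling)
    return cur == root


def verify_message(root: bytes, sender_id: bytes, msg: bytes, sig, path) -> bool:
    """Second node's check: rebuild the sender's public key from the signature,
    hash it into a leaf, and walk the path up to the certified root it holds."""
    return merkle_verify(root, leaf_of(sender_id, pk_from_signature(msg, sig)), path)


def demo():
    ids = [b"node-%d" % i for i in range(5)]          # constructed node identifiers
    keys = [lamport_keygen() for _ in ids]            # network node provisions each node
    levels = merkle_levels([leaf_of(i, pk) for i, (_, pk) in zip(ids, keys)])
    root = levels[-1][0]                              # 'certified' and handed to every node
    sk, pk = keys[4]
    msg = b"hello from node-4"
    sig = lamport_sign(sk, pk, msg)                   # part of node-4's authentication data
    path = merkle_path(levels, 4)                     # node-4's trust information
    genuine = verify_message(root, ids[4], msg, sig, path)
    tampered = verify_message(root, ids[4], b"hello from node-4!", sig, path)
    outsider_sk, outsider_pk = lamport_keygen()       # never enrolled by the network node
    outsider = verify_message(root, b"node-9", msg,
                              lamport_sign(outsider_sk, outsider_pk, msg), path)
    return genuine, tampered, outsider
```

The receiver needs nothing per peer: the single certified root stands in for every node's verification data, and a message carries everything required to check it, which is what lets two nodes that have never met establish trust offline.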

02-12-2015

20150047041

METHOD FOR PREFIX REACHABILITY IN A COMMUNICATION SYSTEM - A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate.